Akamai: PLXsert Warns of Threat from SNMP Reflection DDoS Attacks

Cambridge, MA | May 22, 2014

Akamai Technologies, Inc. (NASDAQ: AKAM), the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today released, through the company's Prolexic Security Engineering & Response Team (PLXsert), a new distributed denial of service (DDoS) threat advisory. The advisory highlights a marked resurgence in the use of Simple Network Management Protocol (SNMP) reflection attacks throughout the past month. These DDoS attacks abuse the SNMP protocol, which is commonly supported by network devices such as printers, switches, firewalls and routers. The advisory is available for download from Prolexic (now part of Akamai) at www.prolexic.com/snmp-reflector.

Network devices hijacked for DDoS attacks

Many network devices use the SNMP protocol to store data, such as IP addresses on a router or the type of toner used in a printer. Further, older devices (those manufactured approximately three or more years ago) used SNMP version 2 and were commonly delivered with the SNMP protocol openly accessible to the public by default.

Through the use of GetBulk requests against SNMP v2, malicious actors can cause a large number of networked devices to send their stored data all at once to a target in an attempt to overwhelm the resources of the target. This kind of DDoS attack, called a distributed reflection and amplification (DrDoS) attack, allows attackers to use a relatively small amount of their own resources to create a massive amount of malicious traffic.
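An added example, not taken from the PLXsert advisory or from Akamai: a device owner's check that uses flow records to spot SNMP devices answering addresses outside the management network with replies far larger than the requests. The flow tuple layout, the addresses, the manager allowlist and the 10x threshold are assumptions made for illustration.

```python
from collections import defaultdict

SNMP_PORT = 161  # UDP port SNMP agents listen on

# Constructed sample flow records (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", 40000, "192.0.2.10", 161, 90),        # management station polls a printer
    ("192.0.2.10", 161, "10.0.0.5", 40000, 400),       # ordinary reply to the manager
    ("203.0.113.77", 53211, "192.0.2.10", 161, 80),    # small request, non-manager source
    ("192.0.2.10", 161, "203.0.113.77", 53211, 48000), # very large reply to that address
    ("203.0.113.77", 53212, "192.0.2.20", 161, 80),
    ("192.0.2.20", 161, "203.0.113.77", 53212, 1200),
]


def find_reflectors(flows, managers, min_ratio=10.0):
    """Return (device, peer, ratio) for SNMP agents whose replies to
    non-manager peers are at least min_ratio times the request bytes."""
    req = defaultdict(int)  # (device, peer) -> bytes received on port 161
    rsp = defaultdict(int)  # (device, peer) -> bytes sent from port 161
    for src, sport, dst, dport, nbytes in flows:
        if dport == SNMP_PORT:
            req[(dst, src)] += nbytes
        elif sport == SNMP_PORT:
            rsp[(src, dst)] += nbytes

    findings = []
    for (device, peer), out_bytes in rsp.items():
        if peer in managers:
            continue  # polling by the management station is expected
        in_bytes = req.get((device, peer), 0)
        # Replies with no recorded request (e.g. sampled flows) count as unbounded.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio:
            # In a reflection attack the peer is the target receiving the
            # traffic, not the host that actually sent the request.
            findings.append((device, peer, ratio))
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for device, peer, ratio in find_reflectors(SAMPLE_FLOWS, {"10.0.0.5"}):
        print(f"{device} -> {peer}: reply/request byte ratio {ratio:.0f}x")
```

Devices that show up here are candidates for restricting SNMP to the management network.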

"The use of specific types of protocol reflection attacks such as SNMP surges from time to time," said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. "Newly available SNMP reflection tools have fueled these attacks."

Details of one of the SNMP attack tools are included in the DDoS threat advisory.

"Network administrators are encouraged to search for and secure SNMP v.2 devices," added Scholly. "The Internet community has been active in blacklisting the devices involved in recent DDoS attacks, but we also need network administrators to take the remediation steps described in the threat advisory. Network administrators can help prevent more devices from being found and used by malicious actors."

In the advisory, PLXsert shares its analysis and details about SNMP Reflector DDoS attacks, including:

How to identify an attack from the SNMP Reflector DDoS tool

Samples of source code

Payloads

IDS Snort rule (attack signature)

Remediation instructions for owners of devices that support the SNMP v2 protocol

Prolexic, now part of Akamai, offers DDoS protection solutions that leverage proprietary DDoS filtering techniques and the world's largest cloud-based DDoS mitigation network. Akamai completed the acquisition of Prolexic in February 2014. Together with Prolexic, Akamai is providing customers with a comprehensive portfolio of security solutions designed to defend an enterprise's Web and IP infrastructure against application-layer, network-layer and data center attacks delivered via the Internet. To learn more about how Prolexic solutions stop DDoS attacks and protect business, please visit www.prolexic.com, or follow Prolexic on LinkedIn, Facebook, Google+, YouTube, and @Prolexic on Twitter.

About Akamai

Akamai® is the leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the Company’s solutions is the Akamai Intelligent Platform™ providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.